b'              Computer Security Roles and Responsibilities\n                and Training Should Remain Part of the\n                 Computer Security Material Weakness\n\n                                 September 2004\n\n                       Reference Number: 2004-20-155\n\n\n\n\nThis report has cleared the Treasury Inspector General for Tax Administration disclosure\nreview process and information determined to be restricted from public release has been\n                              redacted from this document.\n\x0c                                             DEPARTMENT OF THE TREASURY\n                                                   WASHINGTON, D.C. 20220\n\n\n\nINSPECTOR GENERAL\n     for TAX\n  ADMINISTRATION\n\n\n\n\n                                                  September 29, 2004\n\n\n      MEMORANDUM FOR CHIEF INFORMATION OFFICER\n                     CHIEF, MISSION ASSURANCE\n\n\n      FROM:                         Gordon C. Milbourn III\n                                    Acting Deputy Inspector General for Audit\n\n      SUBJECT:                      Final Audit Report - Computer Security Roles and\n                                    Responsibilities and Training Should Remain Part of the\n                                    Computer Security Material Weakness (Audit # 200420003)\n\n\n      This report presents the results of our review to determine whether the Internal\n      Revenue Service (IRS) has effectively resolved the vulnerabilities associated with its\n      computer security material weakness. The IRS has categorized this material weakness\n      into nine areas,1 three of which are addressed in this report: security roles and\n      responsibilities, segregation of duties, and security training. 
From our perspective,\n      these three areas collectively address the root causes of many of the security\n      weaknesses covered in the other six material weakness areas reported by the IRS.\n      The Department of the Treasury requested that the Treasury Inspector General for Tax\n      Administration (TIGTA) provide an independent assessment of the effectiveness of the\n      IRS\xe2\x80\x99 actions to address its computer security material weakness. This review is one of\n      five reviews conducted this fiscal year to meet this request.\n      In summary, the IRS has taken some key steps to address security roles and\n      responsibilities, segregation of duties, and training. Efforts on segregation of duties, in\n      particular, justify closure of this area from the computer security material weakness.\n      The IRS has effectively defined and segregated security tasks among key employees to\n      reduce the opportunity for any one person to perpetrate and conceal inappropriate or\n      fraudulent activities. Existing security weaknesses were not attributed to inadequate\n      segregation of duties.\n      1\n       The computer security material weakness consists of (1) network access controls; (2) key computer applications\n      and system access controls; (3) software configuration; (4) functional business, operating, and program units\n      security roles and responsibilities; (5) segregation of duties between system and security administrators;\n      (6) contingency planning and disaster recovery; (7) monitoring of key networks and systems; (8) security training;\n      and (9) certification and accreditation.\n\x0c                                            2\n\nMuch work remains, though, before the roles and responsibilities and training areas are\nclosed. 
Until these areas are adequately addressed, the IRS will have little chance of\nimplementing effective security controls, and computer security will remain a material\nweakness.\nWhile security roles and responsibilities have been defined, we continue to identify\nsignificant security weaknesses throughout the IRS that we attribute to key employees\nnot performing those responsibilities. For example, vulnerabilities continue to exist on\nthe network and in sensitive systems across the IRS. Patch management and/or audit\ntrail weaknesses are prevalent in the Mainframe, UNIX, and Windows computer\nenvironments. In addition, business owners have not carried out their responsibilities to\naccredit their systems and to annually assess the security controls of those systems.\nThe IRS has initiated actions to address the training material weakness area; however,\nmore actions are needed before it is downgraded or closed. Several steps were not\ncompleted or were not effective. Specifically, the following steps need further\nimprovement: identifying employees with key security responsibilities, effectively\ncommunicating the security core training curriculum and training courses, and\nperiodically monitoring for course participation.\nWhile we recommended the Chief, Mission Assurance, remove the segregation of\nduties area from the computer security material weakness, we recommended the\nsecurity roles and responsibilities area remain part of the computer security material\nweakness until corrective actions related to prior TIGTA recommendations have been\naddressed. The Chief, Mission Assurance, should also keep the security training area\nas part of the computer security material weakness until all employees with key security\nresponsibilities are identified, monitored, and adequately trained. 
We also\nrecommended the Chief Information Officer ensure his employees with key security\nresponsibilities are adequately trained to perform security duties and tasks.\nManagement\xe2\x80\x99s Response: Management\xe2\x80\x99s response was due on September 27, 2004.\nAs of September 28, 2004, management had not responded to the draft report.\nCopies of this report are also being sent to the IRS managers affected by the report\nrecommendations. Please contact me at (202) 622-6510 if you have questions or\nMargaret E. Begg, Assistant Inspector General for Audit (Information Systems\nPrograms), at (202) 622-8510.\n\x0c              Computer Security Roles and Responsibilities and Training Should\n                 Remain Part of the Computer Security Material Weakness\n\n\n                                                  Table of Contents\n\n\nBackground ............................................................................................... Page 1\nBetter Implementation of Roles and Responsibilities Is Needed\nBefore This Material Weakness Area Is Downgraded ............................... Page 3\n         Recommendation 1: .......................................................................Page 6\n\nEfforts on the Segregation of Duties Material Weakness\nArea Justify Closure .................................................................................. Page 6\n         Recommendation 2: .......................................................................Page 7\n\nMore Actions Are Needed Before the Security Training\nMaterial Weakness Area Is Downgraded .................................................. Page 7\n         Recommendation 3: .......................................................................Page 10\n         Recommendations 4 and 5: ...........................................................Page 11\n\nAppendix I \xe2\x80\x93 Detailed Objective, Scope, and Methodology....................... 
Page 12\nAppendix II \xe2\x80\x93 Major Contributors to This Report ....................................... Page 14\nAppendix III \xe2\x80\x93 Report Distribution List ....................................................... Page 15\n\x0c             Computer Security Roles and Responsibilities and Training Should\n                Remain Part of the Computer Security Material Weakness\n\n                                   The Federal Managers\xe2\x80\x99 Financial Integrity Act of 19821\nBackground\n                                   requires that each agency conduct annual evaluations of its\n                                   systems of internal accounting and administrative controls\n                                   and submit an annual statement on the status of the agency\xe2\x80\x99s\n                                   system of management controls. As part of the evaluations,\n                                   agency managers identify control areas that can be\n                                   considered material or significant weaknesses.\n                                   The Department of the Treasury has defined a material\n                                   weakness as, \xe2\x80\x9cshortcomings in operations or systems which,\n                                   among other things, severely impair or threaten the\n                                   organization\xe2\x80\x99s ability to accomplish its mission or to prepare\n                                   timely, accurate financial statements or reports.\xe2\x80\x9d The Office\n                                   of Management and Budget (OMB) monitors progress on\n                                   these weaknesses.\n                                   When the Internal Revenue Service (IRS) Security Program\n                                   evaluated the state of security within the IRS in 1997, it\n                                   noted the lack of detailed security policies, procedures,\n     
                              standards, and requirements. It found that IRS officials\n                                   were interpreting policies and procedures in a variety of\n                                   ways. In some cases, IRS officials were unaware of, or\n                                   were ignoring, the policies and procedures, resulting in an\n                                   undisciplined security environment. As a result, the IRS\n                                   declared five security areas as material weaknesses.2\n                                   In October 2002, the IRS combined the five security\n                                   material weaknesses that were mostly based on facility\n                                   types into one material weakness. Its goal was to address\n                                   computer security from an enterprise-wide approach and\n                                   better align the weakness areas with the new organizational\n                                   structure. The IRS further categorized the computer\n                                   security material weakness into nine areas.3\n\n\n                                   1\n                                     31 U.S.C. 
\xc2\xa7\xc2\xa7 1105, 1113, 3512 (2000).\n                                   2\n                                     The five material weaknesses were Computing Center Security, Field\n                                   Office Security, Service Center Security, Other IRS Facility Security,\n                                   and System Certification.\n                                   3\n                                     The computer security material weakness consists of (1) network\n                                   access controls; (2) key computer applications and system access\n                                   controls; (3) software configuration; (4) functional business, operating,\n                                   and program units security roles and responsibilities; (5) segregation of\n                                   duties between system and security administrators; (6) contingency\n                                   planning and disaster recovery; (7) monitoring of key networks and\n                                   systems; (8) security training; and (9) certification and accreditation.\n                                                                                                     Page 1\n\x0cComputer Security Roles and Responsibilities and Training Should\n   Remain Part of the Computer Security Material Weakness\n\n                      The Department of the Treasury requested that the Treasury\n                      Inspector General for Tax Administration provide an\n                      independent assessment of the effectiveness of the IRS\xe2\x80\x99\n                      actions to address the computer security material weakness.\n                      This report is one of five reviews we conducted this fiscal\n                      year to meet this request and addresses the following three\n                      weaknesses:\n                          1) Computer security roles and responsibilities were\n                  
           not defined for functions in the business units and\n                             the office of the Chief Information Officer as\n                             required by the Federal Information Security\n                             Management Act (FISMA).4\n                          2) Duties were not segregated between system\n                             administrator and security administrator\n                             responsibilities.\n                          3) Computer security training was not provided to\n                             employees who are assigned key security\n                             responsibilities.\n                      From our perspective, the three areas collectively address\n                      the root causes of many of the security weaknesses covered\n                      in the other six material weakness areas reported by the IRS\n                      (network access, application and system access, system\n                      software configuration, audit trails, disaster recovery, and\n                      certification and accreditation of sensitive systems).\n                      This audit was conducted in the Office of Mission\n                      Assurance and the Information Technology Services\n                      (ITS) organization at the IRS Headquarters in\n                      New Carrollton, Maryland; the Brookhaven, New York ,\n                      and Memphis, Tennessee Campuses;5 and the\n                      Martinsburg, West Virginia, and Memphis, Tennessee,\n                      Computing Centers6 during the period August 2003 through\n                      May 2004. The audit was conducted in accordance with\n                      Government Auditing Standards. Detailed information on\n                      our audit objective, scope, and methodology is presented in\n\n                      4\n                        Pub. L. No. 107-347, Title III, 116 Stat. 
2946 (2002).\n                      5\n                        IRS campuses process paper and electronic submissions, correct errors,\n                      and forward data to the Computing Centers for analysis and posting to\n                      taxpayer accounts.\n                      6\n                        IRS Computing Centers support tax processing and information\n                      management through a data processing and telecommunications\n                      infrastructure.\n                                                                                      Page 2\n\x0c            Computer Security Roles and Responsibilities and Training Should\n               Remain Part of the Computer Security Material Weakness\n\n                                  Appendix I. Major contributors to the report are listed in\n                                  Appendix II.\n                                  IRS policy requires all IRS employees and contractors to be\nBetter Implementation of Roles\n                                  responsible for ensuring the confidentiality, integrity, and\nand Responsibilities Is Needed\n                                  availability of data processed or stored on the computer\nBefore This Material Weakness\n                                  systems. Each employee and contractor has a security role,\nArea Is Downgraded\n                                  sometimes several roles, with a corresponding set of routine\n                                  responsibilities.\n                                  The IRS has assigned technical computer security\n                                  responsibilities to system administrators and security\n                                  administrators. 
Generally, system administrators are\n                                  responsible for day-to-day systems operations, and security\n                                  administrators are responsible for specific security tasks and\n                                  security oversight. The ITS organization has responsibility\n                                  for ensuring system administrators carry out their\n                                  system-related duties, while the Office of Mission\n                                  Assurance has responsibility for providing oversight and\n                                  guidance when needed.\n                                  Other employees also have security-related responsibilities.\n                                  For example, business owners must conduct annual security\n                                  self-assessments of their systems, as required by the\n                                  FISMA. Self-assessments provide a method for agency\n                                  officials to determine the current status of their information\n                                  security programs and, where necessary, establish a target\n                                  for improvement. 
In addition, business owners are required\n                                  to accredit their information systems at least once every\n                                  3 years.\n                                  National Institute of Standards and Technology (NIST)\n                                  guidance states that a successful information technology\n                                  (IT) security program includes: 1) developing an IT\n                                  security policy that reflects business needs tempered by\n                                  known risks; 2) informing users of their IT security\n                                  responsibilities, as documented in agency security policy\n                                  and procedures; and 3) establishing processes for\n                                  monitoring and reviewing the program.7\n                                  The IRS planned to complete the following actions to\n                                  address the roles and responsibilities material weakness\n                                  area:\n\n                                  7\n                                   NIST Special Publication 800-50, Building an Information Technology\n                                  Security Awareness and Training Program (October 2003).\n                                                                                              Page 3\n\x0cComputer Security Roles and Responsibilities and Training Should\n   Remain Part of the Computer Security Material Weakness\n\n                         \xe2\x80\xa2   Define security roles and responsibilities.\n                         \xe2\x80\xa2   Finalize procedures and guidelines for security roles\n                             and responsibilities. 
Pilot test security roles and\n                             responsibilities at model facilities.\n                         \xe2\x80\xa2   Complete rollout schedules and the training program\n                             needed to execute and enforce security standards.\n                         \xe2\x80\xa2   Implement security procedures and guidelines.\n                         \xe2\x80\xa2   Conduct compliance assessments to ensure roles and\n                             responsibilities are effectively implemented.\n                      The IRS has taken some key steps to address the security\n                      roles and responsibilities material weakness area by\n                      completing the following actions:\n                         \xe2\x80\xa2   Developed a roles and responsibilities matrix\n                             incorporating guidance from the Internal Revenue\n                             Manual (IRM), NIST, public laws, and regulations.\n                         \xe2\x80\xa2   Verified that the security roles and responsibilities\n                             matrix was appropriate, reasonable, and complete.\n                         \xe2\x80\xa2   Obtained feedback on the roles and responsibilities\n                             matrix from business units and other IRS\n                             stakeholders.\n                         \xe2\x80\xa2   Defined physical security roles and responsibilities.\n                         \xe2\x80\xa2   Prepared draft handbooks on the approved roles and\n                             responsibilities for executives, managers, technical\n                             employees, and users.\n                         \xe2\x80\xa2   Distributed draft handbooks to executives, managers,\n                             technical employees, and users.\n                         \xe2\x80\xa2   Carried out compliance assessments but omitted\n                             some functions from this process. 
The IRS deferred\n                             some compliance assessments due to organizational\n                             issues and time constraints. In addition, these\n                             compliance checks were mainly based on interviews\n                             with system administrators and security specialists\n                             and did not include any comprehensive testing.\n                      Despite these actions, existing weaknesses in other\n                      computer security material weakness areas indicate that\n                      security roles and responsibilities have not been effectively\n\n                                                                              Page 4\n\x0cComputer Security Roles and Responsibilities and Training Should\n   Remain Part of the Computer Security Material Weakness\n\n                      implemented. These weaknesses existed because\n                      responsible employees were not carrying out their duties as\n                      prescribed in the IRM or other guidance. 
Specifically, we\n                      found:\n                          \xe2\x80\xa2    Network administrators did not ensure routers were\n                               configured to established standards.\n                          \xe2\x80\xa2    System administrators did not correct known\n                               vulnerabilities on mainframe, UNIX, and Windows\n                               computer systems and did not install security\n                               patches to vulnerable UNIX and Windows computer\n                               systems, as required by established procedures.\n                          \xe2\x80\xa2    Contractors did not install security patches on the\n                               modernized security system.8\n                          \xe2\x80\xa2    Security specialists did not review audit trails on\n                               UNIX computer systems and modernized systems.9\n                          \xe2\x80\xa2    Business owners did not accredit their systems and\n                               did not complete annual self-assessments as required\n                               by the FISMA.10\n                      Not carrying out these crucial responsibilities increases the\n                      likelihood that intruders or insiders could access\n                      unauthorized information or disrupt computer operations\n                      without detection. 
Until roles and responsibilities are\n                      effectively carried out, the IRS will have little chance of\n                      implementing effective security controls and computer\n                      security will remain a material weakness.\n                      We believe the breakdowns in roles and responsibilities\n                      occurred because IRS employees are not being held\n                      accountable for carrying out their security responsibilities.\n                      8\n                        The three issues caused by network administrators, system\n                      administrators, and contractors were presented in our audit report,\n                      Network Access, System Access, and Software Configuration Should\n                      Remain Part of the Computer Security Material Weakness (draft report\n                      issued August 17, 2004).\n                      9\n                        The issue on audit trails caused by security specialists was presented in\n                      our audit report, The Use of Audit Trails to Monitor Key Networks and\n                      Systems Should Remain Part of the Computer Security Material\n                      Weakness (Reference Number 2004-20-131, dated September 2004).\n                      10\n                         The issue caused by business owners was presented in our audit\n                      report, The Certification and Accreditation of Computer Systems Should\n                      Remain in the Computer Security Material Weakness (Reference\n                      Number 2004-20-129, dated August 2004).\n                                                                                         Page 5\n\x0c           Computer Security Roles and Responsibilities and Training Should\n              Remain Part of the Computer Security Material Weakness\n\n                                 While the IRS has required all employees to 
complete\n                                 annual UNAX11 and computer security awareness briefings,\n                                 it has not ensured specific security responsibilities have\n                                 been adequately emphasized throughout the IRS, as required\n                                 by the FISMA.\n                                 The other related audit reports on the IRS\xe2\x80\x99 computer\n                                 security material weakness contain recommendations to\n                                 address the specific breakdowns in security roles and\n                                 responsibilities. Therefore, we are not repeating those\n                                 recommendations in this report.\n                                 Recommendation\n\n                                 1. The Chief, Mission Assurance, should keep security\n                                    roles and responsibilities as part of the computer\n                                    security material weakness until corrective actions\n                                    related to recommendations in our prior report12 on\n                                    security roles and responsibilities and in the\n                                    aforementioned material weakness reports13 have been\n                                    addressed.\n                                 Management\xe2\x80\x99s Response: Management\xe2\x80\x99s response was due\n                                 on September 27, 2004. 
As of September 28, 2004,\n                                 management had not responded to the draft report.\n                                 The Department of the Treasury requires bureaus to divide\nEfforts on the Segregation of\n                                 and separate duties and responsibilities of critical functions\nDuties Material Weakness Area\n                                 among different individuals to reduce the risk of fraudulent\nJustify Closure\n                                 or criminal activity. Segregation of duties should prevent a\n                                 single individual from being able to disrupt or corrupt a\n\n                                 11\n                                    UNAX is synonymous with Unauthorized Access and refers to the\n                                 security requirement that employees access taxpayer data only for\n                                 official purposes. UNAX was established by the Taxpayer Browsing\n                                 Protection Act, 26 U.S.C.A. \xc2\xa7\xc2\xa7 7213, 7213A, 7431 (West Supp. 
2003).\n                                 12\n                                    Inadequate Accountability and Training for Key Security Employees\n                                 Contributed to Significant Computer Security Weaknesses (Reference\n                                 Number 2004-20-027, dated January 2004).\n                                 13\n                                    Network Access, System Access, and Software Configuration Should\n                                 Remain Part of the Computer Security Material Weakness (draft report\n                                 issued August 17, 2004), The Certification and Accreditation of\n                                 Computer Systems Should Remain in the Computer Security Material\n                                 Weakness (Reference Number 2004-20-129, dated August 2004), and\n                                 The Use of Audit Trails to Monitor Key Networks and Systems Should\n                                 Remain Part of the Computer Security Material Weakness (Reference\n                                 Number 2004-20-131, dated September 2004).\n                                                                                               Page 6\n\x0c             Computer Security Roles and Responsibilities and Training Should\n                Remain Part of the Computer Security Material Weakness\n\n                                   critical security process without colluding with another\n                                   employee. 
For example, system administrators should not\n                                   be able to make unauthorized changes to computer\n                                   configurations without colluding with security\n                                   administrators responsible for detecting unauthorized\n                                   changes to the configurations.\n                                   To address the segregation of duties material weakness area,\n                                   the IRS planned and completed the following actions:\n                                      \xe2\x80\xa2   Defined and finalized security roles and\n                                          responsibilities, focusing on roles for system\n                                          administration, security administration,\n                                          management, and other related security functions.\n                                      \xe2\x80\xa2   Documented and distributed procedures and\n                                          guidelines that recognize the principle of segregation\n                                          of duties by specifying the responsibilities of key\n                                          employees with security duties.\n                                      \xe2\x80\xa2   Implemented security roles and responsibilities\n                                          relating to segregation of duties.\n                                   The procedures explaining segregation of duties for system\n                                   administrators and security administrators were clear and\n                                   the duties were separated to ensure there were no conflicting\n                                   duties. 
The issues we identified in other reviews of\n                                   computer security material weakness areas were not\n                                   attributable to weaknesses in segregation of duties.\n                                   Recommendation\n\n                                   2. The Chief, Mission Assurance, has completed actions to\n                                      correct weaknesses regarding segregation of duties and\n                                      should remove this area from the computer security\n                                      material weakness.\n                                   Department of the Treasury policy requires that employees\nMore Actions Are Needed Before\n                                   and contractors with significant security responsibilities\nthe Security Training Material\n                                   receive annual training specific to their security\nWeakness Area Is Downgraded\n                                   responsibilities. The level of training should be\n                                   commensurate with each individual\xe2\x80\x99s duties and\n                                   responsibilities and is intended to promote a consistent\n                                   understanding of the principles and concepts of IT systems\n                                   security. 
The policy also requires bureaus to have a means to track, by name and position, who has received what training and the costs of the training.

To address the security training material weakness area, the IRS planned to complete the following actions by December 31, 2003:

   •   Identify security-related training needs to correspond to defined security roles and responsibilities and establish a core curriculum for those positions.
   •   Identify employees with key security responsibilities.
   •   Validate and update current online and classroom courses for key personnel.
   •   Communicate training opportunities and guidance to key personnel on a periodic basis.
   •   Monitor curriculum course participation quarterly.

The IRS took the following actions in Calendar Year 2003 to address the security training material weakness:

   •   Identified available security training courses, matched courses to specific computer job positions, and developed a core curriculum for key security positions.
   •   Designated all Office of Mission Assurance employees as those employees who have significant computer security-related duties.
   •   Began development of the Enterprise Learning Management System (ELMS), which will integrate with the Department of the Treasury’s human resources system (HR Connect) and help meet goals set by the OMB for E-Government14 and E-Training initiatives.

14 The President’s Management Agenda established E-Government as the use of IT and the Internet, together with the operational processes and people needed to implement these technologies, to deliver services and programs to constituents, including citizens, businesses, and other government agencies. E-Government improves the effectiveness, efficiency, and quality of Federal Government services.

While the IRS initiated actions to address this material weakness area, several steps were not completed or were not effective.
Specifically, the following steps need further improvement: identifying employees with key security responsibilities, effectively communicating the security core training curriculum and training courses, and periodically monitoring for course participation.

The Office of Mission Assurance did not identify all employees with significant computer security-related duties. The 288 employees identified as having key responsibilities all reported to the Chief, Mission Assurance. Employees with significant security duties assigned to the ITS organization (e.g., system administrators, computer specialists, and telecommunications specialists) were not included.

While the IRS developed a core curriculum that lists specific security classes for various IT positions, the curriculum and guidance for using the curriculum had not been effectively communicated to employees. We interviewed 50 employees from 5 locations who had significant security responsibilities. Eleven of 15 employees from the Office of Mission Assurance and 24 of 35 employees from the ITS organization were not aware of the curriculum.

More importantly, employees were not receiving sufficient training. During the last 2 calendar years, 7 (1 from the Office of Mission Assurance and 6 from the ITS organization) of the 50 employees had only 1 training class, and 9 employees (1 from the Office of Mission Assurance and 8 from the ITS organization) had not received any security training.

To monitor course participation, the IRS is touting the ELMS as a tool to be used by all learners, managers, training administrators, and instructors. Until this system becomes fully operational, the IRS is using the Automated Corporate Education System (ACES) to track and monitor training classes.

However, information on the ACES is not reliable. We reviewed the ACES data for 33 employees at the 5 sites we visited and found that training records were incomplete for 11 employees. Recent training classes were not listed, including e-learning (online) classes.

Inadequate security training for IRS employees with key security responsibilities has been an ongoing problem. In January 2004, we reported that employees with key security responsibilities did not have sufficient training.15 Eight of 29 system administrators we interviewed during that review did not receive sufficient training to perform their security-related duties.
In addition, weak educational backgrounds in computer-related courses of some employees made the need for training even more critical. Twelve of the 29 system administrators had no formal computer-related education, and 2 of those did not have any computer experience prior to getting their current positions. These results also raised concerns about whether employees were fully qualified to perform their assigned responsibilities.

We attribute the inadequate security training to insufficient emphasis, particularly for those employees whose duties require them to implement security policies and procedures. In addition, the Office of Mission Assurance has not established a minimum number of security-related training hours, or a time period by which the key employees should obtain training, and did not clearly establish who was responsible or accountable for providing computer security-related training to the key employees.

We believe computer security training should remain as part of the computer security material weakness. Until employees with key security responsibilities are adequately trained, the IRS will have little chance of implementing effective security controls and computer security will remain a material weakness.

Recommendations

The Chief, Mission Assurance, should:

3. Keep the security training area as part of the computer security material weakness until all employees with key security responsibilities, not just those in the Office of Mission Assurance, have been adequately trained.

4. Establish a process to identify employees with key security responsibilities, monitor their participation in training courses, and follow up with their managers, if necessary. In addition, the Chief, Mission Assurance, should consider requiring a minimum number of security training hours for all employees with key security responsibilities, to encourage enrollment in training classes.

The Chief Information Officer should:

5. Ensure his employees with key security responsibilities, particularly system administrators and security specialists, are adequately trained to perform security duties and tasks.

15 Inadequate Accountability and Training for Key Security Employees Contributed to Significant Computer Security Weaknesses (Reference Number 2004-20-027, dated January 2004).

Appendix I

Detailed Objective, Scope, and Methodology

The overall objective of this review was to determine whether the Internal Revenue Service (IRS) has effectively resolved the vulnerabilities associated with its computer security material weakness. The IRS segregated this material weakness into nine areas,1 three of which are addressed in this report: security roles and responsibilities, segregation of duties, and training.

I.   To determine whether the IRS identified the significant vulnerabilities that need to be corrected before closing the weaknesses, we interviewed Office of Mission Assurance and Information Technology Services (ITS) organization staff and reviewed relevant IRS and Treasury Inspector General for Tax Administration documentation and reports on the IRS’ approach to resolving the material weakness. We specifically followed up on our report on security roles and responsibilities.2

II.  To determine whether the actions taken to resolve the specific vulnerabilities were sufficient to close the weaknesses, we interviewed IRS staff, reviewed documentation, conducted site visits of IRS validations and corrective actions, and evaluated the actions.
III. To determine whether the actions taken to resolve the vulnerabilities were fully implemented nationwide, we interviewed ITS organization staff and reviewed implementation schedules, coverage of implementation, and methodology behind the implementation.

IV.  To determine the effectiveness of the IRS’ actions to resolve the specific vulnerabilities, we interviewed 50 employees from the Mission Assurance and ITS organizations at 5 locations (the IRS Headquarters in New Carrollton, Maryland; the Brookhaven, New York, and Memphis, Tennessee, Campuses;3 and the Martinsburg, West Virginia, and Memphis, Tennessee, Computing Centers4), reviewed documentation, and identified criteria for resolving the vulnerabilities. The sites visited were based on IRS offices with high numbers of mainframe systems, Unix-based servers, and Windows-based servers. The employees selected were based on available System Administrators and Security Specialists who had responsibility over the selected servers in our other material weakness reviews.

     A.  For the security roles and responsibilities area, we determined if:
         1.  Federal Information Security Management Act5 (FISMA) reviews were effective.
         2.  Managers actively provided employees with security awareness training.
         3.  Managers reviewed and approved Automated Information System (AIS) User Registration/Change Requests (Form 5081) for system access privileges.
         4.  Weaknesses identified in other computer security material weakness reviews could be linked to employee rules of behavior and security roles and responsibilities.

     B.  For the segregation of duties area, we determined if the following roles were appropriately segregated:
         1.  Approving and installing system patches and upgrades.
         2.  Approving, adding, and removing users from systems.
         3.  Performing system administration, reviewing systems for security violations, and responding to security violations.
         4.  Any other key roles identified through the interview process.

     C.  For the training area, we determined if:
         1.  IRS managers had identified core skills for security personnel and employees were familiar with the core training curriculum for their positions.
         2.  The Office of Mission Assurance had identified specific security classes and schedules for security staff.
         3.  Continuing professional education requirements had been established, monitored, and met.
         4.  Security personnel received necessary and relevant training for 33 of the 50 employees where training information was available.
         5.  Training issues identified from our audit results on the FISMA6 were addressed.

1 The computer security material weakness consists of (1) network access controls; (2) key computer applications and system access controls; (3) software configuration; (4) functional business, operating, and program units security roles and responsibilities; (5) segregation of duties between system and security administrators; (6) contingency planning and disaster recovery; (7) monitoring of key networks and systems; (8) security training; and (9) certification and accreditation.
2 Inadequate Accountability and Training for Key Security Employees Contributed to Significant Computer Security Weaknesses (Reference Number 2004-20-027, dated January 2004).
3 IRS campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
4 IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.
5 Pub. L. No. 107-347, Title III, 116 Stat. 2946 (2002).
6 Performance Data for the Security Program Should Be Corrected (Reference Number 2004-20-093, dated April 2004).

Appendix II

Major Contributors to This Report

Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs)
Steve Mullins, Director
Kent Sagara, Audit Manager
Mary Jankowski, Senior Auditor
Louis Lee, Senior Auditor
Abraham B. Millado, Senior Auditor
Charles Ekholm, Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Associate Chief Information Officer, Information Technology Services OS:CIO:I
Director, Assurance Programs OS:MA:AP
Director, Business Systems Development OS:CIO:I:B
Director, End User Equipment and Services OS:CIO:I:EU
Director, Enterprise Networks OS:CIO:I:EN
Director, Enterprise Operations Services OS:CIO:I:EO
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Management Controls OS:CFO:AR:M
Audit Liaisons:
     Chief Information Officer OS:CIO
     Chief, Mission Assurance OS:MA